Researchers at the cybersecurity firm UpGuard on Wednesday said it discovered the existence of two datasets together containing the personal data of hundreds of millions of Facebook users. Both data sets were left publicly accessible.

In a blog post, the company tied one of the leaky databases to a Mexico-based media company called Cultura Colectiva. It reportedly contains over 146 GB of data, amounting to over 540 million records on Facebook users, including comments, likes, reactions, account names, Facebook user IDs, and more.

A second leak, linked to a Facebook-integrated app called “At the pool,” left exposed roughly 22,000 Facebook passwords, stored in plaintext, according to UpGuard. The database also contained information about users’ friends, likes, groups, and locations where they had checked in, the firm said.

Both data sets were found stored in an unsecured Amazon S3 bucket and could be accessed by virtually anyone. The buckets have since been secured or taken offline.

“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each,” UpGuard said. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.”

Added Upguard: “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”

Facebook gave the following statement:

“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”